Access-list to prevent access from vlan 1 to vlan 2 and vlan 2 to vlan 1

I have configured a Cisco 3550 with IP Routing.
I want to prevent vlan 1 from accessing vlan 2 and I want to prevent vlan 2 from accessing vlan 1.
Say I was using the IP address range 192.1.15.1 - 192.1.15.254 for VLAN 1 and say I was using the IP address range 192.90.15.1 - 192.90.15.254 for VLAN 2. What would the access-list look like?
henjohn1520 Asked:
 
Don Johnston Instructor Commented:
In order for two-way communications to work, traffic has to flow in BOTH directions.
0
 
Don Johnston Instructor Commented:
You may have a couple of choices.

1) If those are the only two VLANs on the switch and you don't want them communicating, simply disable routing with the global command "no ip routing". But that's probably not likely.

2) Creating the ACL below will prevent the two VLANs from talking to each other.


access-list 1 deny 192.90.15.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 192.1.15.0 0.0.0.255
access-list 2 permit any

int vlan 1
 ip access-group 1 out
int vlan 2
 ip access-group 2 out


0

 
henjohn1520 Author Commented:
What if I wanted to allow one ip address from vlan 1 to access vlan 2?
0
 
Don Johnston Instructor Commented:
Then you would add that one address as a permit BEFORE the deny statement of the network.

i.e.

access-list 2 permit 192.1.15.74 0.0.0.0

0
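The ordering rule in the reply above, as an added example that is not part of the original thread: a small Python model of standard ACL first-match evaluation, run over the ACL 2 entries posted here. The `parse_acl` and `evaluate` helpers and the second, permit-last ordering are constructed for illustration.

```python
import ipaddress

# ACL 2 from the thread with the host permit placed BEFORE the network deny.
PERMIT_FIRST = """
access-list 2 permit 192.1.15.74 0.0.0.0
access-list 2 deny 192.1.15.0 0.0.0.255
access-list 2 permit any
"""

# Constructed contrast: the same permit placed after the existing entries.
PERMIT_LAST = """
access-list 2 deny 192.1.15.0 0.0.0.255
access-list 2 permit any
access-list 2 permit 192.1.15.74 0.0.0.0
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(src))
            # No wildcard given means the entry matches one host.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source_ip):
    """Return the action of the first matching entry (standard ACL: source only)."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"  # implicit deny when no entry matches

if __name__ == "__main__":
    for name, acl in (("permit first", PERMIT_FIRST), ("permit last", PERMIT_LAST)):
        rules = parse_acl(acl)
        for src in ("192.1.15.74", "192.1.15.10", "10.0.0.5"):
            print(f"{name:12} {src:12} -> {evaluate(rules, src)}")
```
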
 
henjohn1520 Author Commented:
When I set the permit statement to allow one computer from vlan 1 to access vlan 2, the computer from vlan 1 has access to vlan 2 computers and all vlan 2 computers have access to the one computer from vlan 1 that was given access to vlan 2. Why is that? Could an extended access list be used instead of a standard access list?
0
 
Don Johnston Instructor Commented:
> When I set the permit statement to allow one computer from vlan 1 to access vlan 2, the computer from vlan 1 has
> access to vlan 2 computers and all vlan 2 computers have access to the one computer from vlan 1 that was given
> access to vlan 2.

From your previous post:
>What if I wanted to allow one ip address from vlan 1 to access vlan 2?

I took that to mean ONE computer on vlan to access ALL computers on VLAN 2.

Did you want something different?
0
 
henjohn1520 Author Commented:
Ok. I wasn't sure how it was supposed to work. Just trying to understand how it works. And the reason I need one computer to have access to the other vlan is because I need my computer to be able to log on to maintain the other network.

Thanks for your help.
0